Which shouldn’t, Engineer Pierro Tito Galla, co-founder of Democracy.net.ph, would very much like to remind all of us.

Back the truck up: A month before the May 2016 elections, we learned through the website “Philippines, we have your data” that the entire Comelec database was hacked. Every Filipino voter’s personal data was presented on that website—name, age, address, phone number, passport, TIN, just to name a few—and it was presented in a fairly easy-to-use manner, for all the world to see. It was preposterous.

The hacking covers such a grand scale that it can haunt you and your children. Galla said the threat can and will stand for another 75 years. “I’m very scared,” said the co-founder of Democracy.net.ph. “Even if I do my best to protect my data, the threat to my person will not go away, not until I die, and maybe not until then.”

We bring this up again, seven months after the fact, because the Department of Justice recently recommended that Comelec chairman Andres Bautista be held criminally liable for the incident. Also because it seems we’ve already forgotten it.

Over chat, Engr. Galla tells us why we shouldn’t take this lightly, why we need to be angry, and after the anger has subsided, what we can do to protect ourselves.

So why did they bother us with the Comeleaks?
“For the lulz,” because they can. Bragging rights, at least that’s what Biteng and De Asis, two people arrested by the PNP, had said.

How petty—just because it was there for the taking.
No. It’s not that voters’ data wasn’t just there for the taking. Voters’ data was just not sufficiently secure.

What does that mean, sufficiently secure?
Here’s one thing that happened: The firewall treated intrusions like legitimate requests. So there was firewall security, but the policies weren’t set up properly.

Engineer, you’re an expert on this—what about the incident frustrates you the most?
The fact that Comelec did not have the basics. It always starts with direction. If there’s direction, then everything follows—assessment, capacity building, implementation, auditing, improvement. But there was none. When the hackers put up the website with all the data, it was very user-friendly, which showed that the Comelec databases were not encrypted.

Yeah, what happened to the website?
It’s already been taken down, as far as I know.

But why is it such a big deal?
It’s all our personal data—address, telephone number, tax identification number, passport number! Imagine the threat of identity theft, financial fraud, land grabbing. There are so many possible risks! Any criminal element who is in possession of the databases could hurt any Filipino at any time now.

And that threat will affect us for the next 75 years. Even if I do my best to protect my personal data, the threat to my person won’t go away. Not until I die, and maybe not even then. It’s us and our kids.

Is everybody really in danger? I mean, I didn’t register online, I didn’t use the precinct finder. I didn’t touch the internet for anything election-related. I’m in no danger, right?
Wrong. It doesn’t matter that you didn’t do any online stuff related to voting. It matters that you voted. You are part of the records. So anyone who voted is at risk, and so are their kids.

Oh shit. Now we feel the urgency. What can we do?
You can change all your passwords and make them alphanumeric. You can change your security questions, too. Get your authenticated birth certificate, renew your IDs. But that does not mean the threat has gone away. It’s a race against time because getting penetrated is not a question of if. It’s a question of when.

Is this all on us? Is there anything the government can do to protect its citizens?
Yes, basically our government should start with the large data collectors. The National Privacy Commission is now talking about auditing the government for vulnerabilities, which is a fundamental step after policy-direction. The Central Bank is also taking on a very pro-active approach to the problem. It is consistently improving its defenses. They learn from the practices of other central banks.

Well, have they started?
The most recent step the government did is require government agencies who collect data to appoint a data protection office, whose function is to protect citizens’ data.

As soon as the BSP learned about the contents of the compromised data, it started strengthening the identity verification process.

Do you agree with the recommendation that Comelec Chair Andres Bautista be charged?
I agree that Bautista must go through the prosecution process. Let the courts determine the extent of his liability. DOJ now has the ball to prosecute. The NPC can now move forward and work with agencies to secure our data—SSS, GSIS, BIR, NBI, LTO, PRC, AFP, and others.

But also, the Civil Service Commission (CSC) should also start writing policies and instructions for government employees to implement cyber security on a day-to-day basis, like taking extra care in plugging in USBs. There should be penalties too for lax employees at the CSC and also the NSO, SSS, GSIS, and so on.

Identity documents and documentation procedures must be strengthened—maybe a national ID system must be established to complement existing government IDs.

Sir, does #Comeleaks have anything to do with the so-called election fraud?
Election Fraud? Nah. Those are separate systems. If BBM can show how the Automated Election System was compromised with the leaked databases, we will be able to guess where fraud would have been committed on the precinct level.